Everything points to this being an interesting bug. Immunity have released a blog post indicating that there was actually two different 0-day bugs being exploited to achieve full compromise from the PoC:

There are 2 different zero-day vulnerabilities used in this exploit: one is used to obtain a reference to the sun.awt.SunToolkit class and the other is used to invoke the public getField method on that class.

played with the metasploit module last night briefly. Tested against Windows 8 and Defender grabbed it. Attempted to send it to Win7 and WinXPSP3 but kept getting an error on the victim. Then got tired and went to sleep.

We've updated the Microsoft Services Agreement, which governs many of our online services - including your Microsoft account and many of our online products and services for consumers, such as Hotmail, SkyDrive, Bing, MSN, Office.com, Windows Live Messenger, Windows Photo Gallery, Windows Movie Maker, Windows Mail Desktop, and Windows Writer. Please read over the new Microsoft Services Agreement here to familiarize yourself with the changes we've made. The updated agreement will take effect on October 19, 2012. If you continue to use our services after October 19th, you agree to the terms of the new agreement or, of course you can cancel your service at any time. We have modified the agreement to make it easier to read and understand, including using a question and answer format that we believe makes the terms much clearer. We also clarified how Microsoft uses your content to better protect consumers and improve our products, including aligning our usage to the way we're designing our cloud services to be highly integrated across many Microsoft products. We realize you may have personal conversations and store personal files using our products, and we want you to know that we prioritize your privacy. Finally, we have added a binding arbitration clause and class action waiver that affects how disputes with Microsoft will be resolved in the United States. Thank you for using Microsoft products and services! ________________________________________

The 'write once, run anywhere' software platform has become a favorite of cyber attackers. Is it time for users to kill their Java?

Security firms are being none too gentle with Oracle's Java following the revelation this week that attackers are using two unpatched Java vulnerabilities to compromise selected targets. The most common advice: Uninstall the Java plug-in in your browser and don't use services that require the software.

On Monday, security firm FireEye revealed that a customer had been attacked with a previously unknown vulnerability. Yet Oracle already knew about the security issue and apparently had an update at the ready to be released on its regularly scheduled patch day in October. With reliable exploits for the vulnerabilities rapidly being adopted by security researchers and cyber criminals alike, the company rushed out a fix for the flaw on Thursday.

Overall, the incident has left a bitter taste in the collective mouths of many security professionals.

"I think there is a lot of sentiment toward not using Java at all if you can avoid it," says Stephen Cobb, security evangelist for antimalware firm ESET. "That is what I would say, and I'm not the first to say that, and I'm not alone in saying that."

Security firm Sophos is among the many to recommend that users turn off the Java plug-in within the browser. And the U.S. Computer Emergency Readiness Team (CERT), the response agency for the U.S. government, offered advice for system administrators that boiled down to "remove Java plug-ins." In April, InfoWorld covered the backlash against Java in the wake of the infection of more than 600,000 Mac computers by the Flashback Trojan and pointed out why removing Java infrastructure is not an option for many enterprises.

While Oracle is not to blame for malicious actors using Java, the company needs to clarify its commitment to securing the platform, argues ESET's Cobb.

An analysis of the flaws found that Oracle introduced the issues into Java 7 a year ago and warned that while it was found recently, cyber criminals and intellectual-property thieves had likely been using the attack for months.